Millions of Brits risking fraud by writing down PINs - Which?

Around one in 10 Brits write down their card PIN or share it with someone, increasing the risk of fraud, according to a survey from Which?

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The consumer group, which polled 1045 people, says this means up to four million debit card holders and three million credit card holders write their PIN down or tell a friend or family member the code. A third keep it in their handbag or wallet and a similar proportion have a note at home.

In addition, Which? says many Brits are ill-informed about their rights if fraud is committed on their card. More than four fifths believe that they will get a refund if they are a victim of street crime or fraud.

However, in reality, if a card is used fraudulently, providers will only issue a refund if the victim had taken reasonable care of their plastic and account details. Writing the PIN down or passing it on would be considered careless behaviour.

Martyn Saville, Which?, says: "The results show that too many consumers are putting their finances in jeopardy by not taking simple precautions. Writing down your PIN is like leaving the door open when you leave the house."

Comments: (4)

Lachlan Gunn Executive Director at European Association for Secure Transactions

It seems that every card issuer assumes that their card is the only one in a consumer's wallet! Isn't this one of the great ironies of the system? We are told not to write down our PINs, and yet also NOT to use the same PIN for more than one purpose. Well if you have several internet and phone banking relationships, and several cards, all with different PINs, how can you not write down a PIN? It's impossible for most of us to remember all of our PINs without recording them in some way... isn't it? Yes we should take every reasonable step to protect our PINs - but we also need to remember them.

Stanley Epstein Associate at Citadel Advantage Group

It's all very well to suggest that one commits one's PIN to memory and does not write it down. But whoever came up with this sage piece of advice is assuming that the user has a single bank card and absolutely nothing else in the way of a PIN or password. Either that or they are oblivious to reality. The plethora of rules and restrictions, especially in the construction of PINs which varies from institution to institution has already sown the seeds of confusion. Just assume that card "A" requires a 4 digit PIN while card "B" demands a 6 digit PIN and that in neither case are any sequential digits allowed. Then throw in card "C" which has a bank allocated 5 digit PIN. Three cards and we already have confusion. Add to this mix the fact that one may have Internet access to all three institutions and that each demands a different user name and password, often consisting of a combination of digits and letters and which has to be changed on a regular basis. No way can I personally function on memory alone. And that is the reason why my list of PINs, Passwords, Access Codes and the like which enables me to run my life is five pages long. It's time we each have a universal unbreakable PIN that works for everything.

John Dring Digital Services and mCommerce at Intel Network Services

Call me cynical, but isn't it almost in the interests of the banks to leave this loophole open to them? It's a catch-22 - to be crystal clear with authentication and non-repudiation, a PIN is black and white. Much easier for a bank to judge than a physical signature for example. But to have even a few PINs means you must have some kind of note, log, system to record them somehow, and thereby provides the banks with a possible exit from liability in cases where they might really need it. Much easier to claim you have written down your PIN and invalidated any protection on the resulting transaction, than prove that they never expose your PIN internally for example.

I wonder what the law would say about PIN reminders and hints? Is that OK? (e.g. my favorite month and the year my dog died??)

Steven Murdoch Royal Society University Research Fellow at University College London

Ross Anderson has written a blog post on this topic, which backs up some of the earlier commenters: "PINs and the burden on customers". In it, he also mentions a radio interview with an APACS spokesman, Mark Bowerman, who tells customers to change their PINs to the same number (contradicting the advice given by the same spokesman in the Which? article).
